Wireshark-bugs: [Wireshark-bugs] [Bug 12750] New: AddressSanitizer: global-buffer-overflow on ad
Date: Tue, 16 Aug 2016 20:28:05 +0000
Bug ID 12750
Summary AddressSanitizer: global-buffer-overflow on address 0x7fd2775186a0
Product Wireshark
Version Git
Hardware x86-64
OS Ubuntu
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee bugzilla-admin@wireshark.org
Reporter mtowalski@pentest.net.pl

Created attachment 14816 [details]
PoC

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-312-g13d0d10 from master)

Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) without libpcap, with GLib 2.40.2, with zlib 1.2.8, without
SMI, without c-ares, without Lua, with GnuTLS 2.12.23, with Gcrypt 1.5.3, with
MIT Kerberos, without GeoIP.

Running on Linux 4.2.0-27-generic, with locale LC_CTYPE=en_US.UTF-8,
LC_NUMERIC=pl_PL.UTF-8, LC_TIME=pl_PL.UTF-8, LC_COLLATE=en_US.UTF-8,
LC_MONETARY=pl_PL.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=pl_PL.UTF-8,
LC_NAME=pl_PL.UTF-8, LC_ADDRESS=pl_PL.UTF-8, LC_TELEPHONE=pl_PL.UTF-8,
LC_MEASUREMENT=pl_PL.UTF-8, LC_IDENTIFICATION=pl_PL.UTF-8, with GnuTLS 2.12.23,
with Gcrypt 1.5.3, with zlib 1.2.8.
Intel(R) Core(TM) i7 CPU         860  @ 2.80GHz (with SSE4.2)

Built using clang 4.2.1 Compatible Clang 3.9.0 (trunk 274369).

--
=================================================================
==21947==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fd2775186a0 at pc 0x7fd26c1d9cfb bp 0x7ffcd5176770 sp 0x7ffcd5176768
READ of size 4 at 0x7fd2775186a0 thread T0
    #0 0x7fd26c1d9cfa in attach_fp_info
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:1591:45
    #1 0x7fd26c1d9cfa in dissect_catapult_dct2000
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:2206
    #2 0x7fd26bd7a2fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #3 0x7fd26bd7a2fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #4 0x7fd26bd79ea1 in dissector_try_uint_new
/media/Fuzzing/Targets/wireshark/epan/packet.c:1188:9
    #5 0x7fd26c4fb165 in dissect_frame
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-frame.c:507:11
    #6 0x7fd26bd7a2fd in call_dissector_through_handle
/media/Fuzzing/Targets/wireshark/epan/packet.c:649:8
    #7 0x7fd26bd7a2fd in call_dissector_work
/media/Fuzzing/Targets/wireshark/epan/packet.c:724
    #8 0x7fd26bd778c8 in call_dissector_only
/media/Fuzzing/Targets/wireshark/epan/packet.c:2780:8
    #9 0x7fd26bd778c8 in call_dissector_with_data
/media/Fuzzing/Targets/wireshark/epan/packet.c:2793
    #10 0x7fd26bd76ecb in dissect_record
/media/Fuzzing/Targets/wireshark/epan/packet.c:532:3
    #11 0x7fd26bd59388 in epan_dissect_run_with_taps
/media/Fuzzing/Targets/wireshark/epan/epan.c:379:2
    #12 0x55e843d7d435 in process_packet
/media/Fuzzing/Targets/wireshark/tshark.c:3433:5
    #13 0x55e843d7d435 in load_cap_file
/media/Fuzzing/Targets/wireshark/tshark.c:3189
    #14 0x55e843d7d435 in main /media/Fuzzing/Targets/wireshark/tshark.c:1893
    #15 0x7fd262aa8f44 in __libc_start_main
/build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #16 0x55e843ca9d15 in _start
(/media/Fuzzing/Targets/wireshark/run/tshark+0x48d15)

0x7fd2775186a0 is located 0 bytes to the right of global variable
'outhdr_values' defined in
'/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:283:14'
(0x7fd277518620) of size 128
SUMMARY: AddressSanitizer: global-buffer-overflow
/media/Fuzzing/Targets/wireshark/epan/dissectors/packet-catapult-dct2000.c:1591:45
in attach_fp_info
Shadow bytes around the buggy address:
  0x0ffacee9b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffacee9b090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffacee9b0a0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffacee9b0b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x0ffacee9b0c0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffacee9b0d0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ffacee9b0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffacee9b0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffacee9b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffacee9b110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffacee9b120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21947==ABORTING


You are receiving this mail because:
  • You are watching all bug changes.